Network security applications and systems include techniques for attempting to detect, halt, or prevent attacks against network assets (e.g., computers, servers, databases, etc.). While many typical intrusion detection systems (IDS) and intrusion prevention systems (IPS) attempt to observe data traffic as viewed at a monitoring point remote from the host that may be the target of an attack, such as at a firewall, the data traffic actually received by the target host may differ from the traffic as viewed at the monitoring point. Because an IDS and a host have different perspectives or host contexts, an attacker may be able to send one or more diversionary packets that enable a data flow or data stream to carry an attack to a victim host without alerting the IDS, or conversely to deceive the IDS into believing that a particular attack is being attempted when in fact it is not. Attack signatures and known threat patterns can thus be obfuscated using evasive data flow techniques.
Protocols such as TCP/IP can be exploited by altering the manner in which data traffic is sent between a source and a host, or by modifying the actual data stream and individual packets. Protocol exploitation may be used to add, replace, or retransmit packets within a particular data stream in order to confuse an IDS or to mask and obfuscate an attack. By modifying a data flow or stream, for example by adding or substituting packets that prevent an IDS from pattern matching or otherwise recognizing an attack, an attacker can evade detection and carry out a successful attack, hack, or compromise of an asset. Further, data communication protocols prescribe a specific, standardized set of algorithms for handling data traffic and, in so doing, give an attacker the opportunity to recognize and exploit a weakness in the protocol, particularly in the way destination hosts reassemble transmitted or retransmitted data packets, frames, segments, etc.
Thus, what is needed is a solution for detecting network evasion or misinformation. A solution for detecting evasive attacks that exploit data communication protocols is also desirable.
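The reassembly divergence described above, as an added illustration that is not part of the original text: a monitor that reassembles overlapping TCP segments under two policies (keep the first bytes seen, or let a later segment overwrite) and flags a flow when a retransmitted segment carries different bytes for an already-seen sequence range, so that the stream an IDS reconstructs and the stream a host reconstructs would no longer agree. The segment lists and policy names are constructed for this example and are not from any particular IDS.

```python
from typing import Dict, List, Tuple

Segment = Tuple[int, bytes]  # (TCP sequence number, payload bytes)


def reassemble(segments: List[Segment], policy: str) -> bytes:
    """Rebuild a byte stream from possibly overlapping segments.
    'first': the bytes seen first for an offset win (one plausible IDS view).
    'last':  a later segment overwrites earlier bytes (one plausible host view).
    Holes between segments are filled with 0x00 so they remain visible."""
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    stream: Dict[int, int] = {}
    for seq, payload in segments:
        for i, b in enumerate(payload):
            pos = seq + i
            if policy == "last" or pos not in stream:
                stream[pos] = b
    if not stream:
        return b""
    lo, hi = min(stream), max(stream)
    return bytes(stream.get(p, 0) for p in range(lo, hi + 1))


def find_inconsistent_overlaps(segments: List[Segment]) -> List[Tuple[int, int, int]]:
    """Return (offset, earlier_byte, later_byte) for every byte where a later
    segment overlaps already-seen data with a different value. A benign
    retransmission repeats identical bytes and produces no entries."""
    seen: Dict[int, int] = {}
    conflicts = []
    for seq, payload in segments:
        for i, b in enumerate(payload):
            pos = seq + i
            if pos in seen and seen[pos] != b:
                conflicts.append((pos, seen[pos], b))
            seen.setdefault(pos, b)  # keep the first value as the reference
    return conflicts


def analyse(segments: List[Segment]) -> dict:
    """Summarise one direction of a flow: inconsistent overlaps and whether
    the two reassembly policies would hand different streams to a detector."""
    conflicts = find_inconsistent_overlaps(segments)
    first_view = reassemble(segments, "first")
    last_view = reassemble(segments, "last")
    return {"inconsistent_overlap": bool(conflicts), "conflicting_bytes": len(conflicts),
            "views_diverge": first_view != last_view,
            "first_view": first_view, "last_view": last_view}


# Constructed sample flows: an identical retransmission, and a retransmission
# that rewrites part of an already-delivered sequence range.
BENIGN = [(1000, b"GET /a.html HTTP/1.0\r\n"), (1000, b"GET /a.html HTTP/1.0\r\n")]
INCONSISTENT = [(1000, b"GET /a.html HTTP/1.0\r\n"), (1005, b"b.html")]
```

An alert on `inconsistent_overlap` is the signal the text asks for: the monitor cannot know which version the host will accept, so the flow deserves scrutiny regardless of which policy the IDS itself uses.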